
Lots of interesting posts this week, with a general theme of security: securing GitHub organisations, research on developer education, an SBOM primer and recent software supply chain issues. Plus posts on WHOIS, service operations and team building to round things out.

StackHawk sponsors Devops Weekly

StackHawk just made it even easier to get started with automated security testing with the new StackHawk CLI. Watch the technical demo and get started with just a few commands from your terminal.
https://sthwk.com/cli-demo

News

An interesting presentation with lots of collected research on helping developers adopt secure development practices.
https://speakerdeck.com/auxesis/footguns-and-factorisation-how-to-make-users-of-your-cryptographic-library-successful

Building teams is a big part of operating complex systems. This post looks at the cost of attrition, focusing on the often hidden communication cost.
https://benjiweber.co.uk/blog/2022/01/12/cost-of-attrition/

A quick take on last week's NPM incident, in which a malicious release of a popular package was published, with some recommendations relevant to other package ecosystems and to anyone releasing software.
https://research.swtch.com/npm-colors

“The WHOIS protocol is one of the older internet protocols around. It’s infuriatingly simple, by and large considered obsolete, and the data provided by it is unpredictable, unreliable, incomplete, and, of course, still one of the cornerstones of internet operations.”
https://www.netmeister.org/blog/whois.html

A nice primer on SBOMs (Software Bills of Materials), explaining the reasons for the recent interest and, most interestingly, looking at the wider ecosystem integrations that are coming.
https://blog.chainguard.dev/what-an-sbom-can-do-for-you/

A handy post on securing a GitHub organisation, from configuring with code to permissions, authentication, external users, audit logs and more.
https://alsmola.medium.com/securing-github-organizations-9c33c850638

CI pipelines are critical systems, but can be fragile without any form of testing in place. Here’s a handy post on testing and linting GitHub Actions to catch common mistakes.
https://cipherstash.com/blog/2021-11-25-linting-your-github-actions

A discussion of some of the pros and cons of centralised and decentralised responsibility for service operations. My experience is that what works changes over time, so being explicit and conscious of the approach is the important part.
https://medium.com/@crossbizz/let-service-teams-own-the-service-operations-instead-of-the-sre-4ff7bcbd53e0

Tools

A toolchain for keeping a set of container images for upstream software automatically updated using GitHub Actions.
https://github.com/cybersecsi/RAUDI
